Comments (8)
then it should first check for the presence of the authorization context before even resolving
It shouldn't. We cannot check for the context before making an authorization attempt or check.
This exception is meant for preventing misconfiguration problems. If you want to use policies to prevent unauthenticated access (which, IMO, is not the best way to deal with the problem), you should check for the user presence in a pre-check (that would cause an ActionPolicy::Unauthorized exception and halt the resolving process).
from action_policy-graphql.
What is the best way to prevent unauthenticated access? A normal before_action in the graphql_controller?
from action_policy-graphql.
A normal before_action in the graphql_controller?
If the whole graph should be protected from the unauthenticated access, then—yes, it's better to handle this at the controller level.
You can respond with GraphQL-compatible JSON manually, for example:

before_action :require_authentication!

def require_authentication!
  return if current_user

  # Halt before the schema executes and answer in the shape GraphQL clients
  # expect: a top-level "errors" array of objects carrying a "message".
  render json: {
    errors: [
      { message: "Unauthenticated" }
    ]
  }
end
from action_policy-graphql.
In case we need to protect only some fields, we usually use a visibility concept. Check out this deck: https://speakerdeck.com/ssnickolay/authorization-in-the-graphql-era?slide=50
from action_policy-graphql.
Thanks @palkan! These were helpful.
from action_policy-graphql.
Hmm, @palkan, the before_action solution works. But how will I be able to bypass the check for mutations such as login and register which do not need the user to be logged in prior?
I noticed the visibility concept only works for fetching data/fields. Wondering how to secure some/most 'endpoints' before resolving, e.g. for an 'updateUser' mutation.
from action_policy-graphql.
I noticed the visibility concept only works for fetching data/fields
Mutations/subscriptions are also fields, so you can use visibility for them as well.
for mutations such as login and register which do not need the user to be logged in prior?
Well, then you cannot move the authentication check to the controller level. Or, you can use a different schema/endpoint for such actions; this is also an option to consider.
from action_policy-graphql.
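An added example (not from this thread or the gem) of keeping the controller-level before_action while letting login/register through: the decision is made on the root fields the document actually selects, never on params[:operationName], because that name is chosen by the client and could be "login" on a document that selects updateUser. It uses a small hand-rolled root-field scanner as a stand-in for GraphQL.parse so it runs without the gem; PUBLIC_ROOT_FIELDS and the queries are constructed.

```ruby
require "strscan"

# Constructed allowlist: the only root fields an unauthenticated request may select.
PUBLIC_ROOT_FIELDS = %w[login register].freeze

# Stand-in for GraphQL.parse (assumption: a real app should use the gem's parser):
# returns the names of every root-level selection in the document, resolving
# aliases to the real field name. Returns nil when a fragment spread appears at
# the root, because the selected fields cannot be known without resolving it.
def root_fields(query)
  s = StringScanner.new(query)
  depth = 0   # selection-set nesting; root fields live at depth 1
  parens = 0  # inside "(...)" everything is an argument, not a selection
  names = []
  until s.eos?
    if s.skip(/\s+|,|#[^\n]*/) then next          # whitespace, commas, comments
    elsif s.skip(/"(?:\\.|[^"\\])*"/) then next    # string argument values
    elsif s.scan(/\.\.\./) then return nil if depth == 1
    elsif s.scan(/\{/) then depth += 1
    elsif s.scan(/\}/) then depth -= 1
    elsif s.scan(/\(/) then parens += 1
    elsif s.scan(/\)/) then parens -= 1
    elsif s.scan(/@[A-Za-z_]\w*/) then next        # directives are not fields
    elsif (tok = s.scan(/[A-Za-z_]\w*/))
      next unless depth == 1 && parens.zero?
      next if s.skip(/\s*:/)                      # "alias: field": the field comes next
      names << tok
    else
      s.getch
    end
  end
  names
end

# The check the controller's before_action would call: authentication is
# required unless every root field selected is on the public allowlist.
# An empty or unreadable document is treated as requiring authentication.
def authentication_required?(query)
  fields = root_fields(query)
  return true if fields.nil? || fields.empty?
  !fields.all? { |f| PUBLIC_ROOT_FIELDS.include?(f) }
end
```

In the controller from the earlier comment, `return if current_user` becomes `return if current_user || !authentication_required?(params[:query].to_s)`; a document mixing a public field with a protected one is still rejected as a whole.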
Thanks @palkan. I'll try the different options and let you know.
from action_policy-graphql.